docker/github-builder#275

Merged
mathieu-benoit merged 5 commits into main from docker-github-builder
Feb 5, 2026
Conversation

@mathieu-benoit mathieu-benoit commented Feb 3, 2026

Like done there mathieu-benoit/sail-sharp#213, use docker/github-builder on:

  • PR
  • Release for monolith and frontend only, not frontend, because it needs to change source code live, which is not possible via the reusable workflow.

Not directly related, but I also decided to remove the -dev tags.

Also, second part here #279 and third here: #280.

Use https://github.com/docker/github-builder:

This workflow provides a trusted BuildKit instance and generates signed SLSA-compliant provenance attestations, guaranteeing the build happened from the source commit and all build steps ran in isolated sandboxed environments from immutable sources. This enables GitHub projects to follow a seamless path toward higher levels of security and trust.

Also, before this I was not yet signing (cosign/sigstore) the container image; that's now done by default with docker/github-builder 🥳

cosign verify \
    --experimental-oci11 \
    --new-bundle-format \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp ^https://github.com/docker/github-builder/.github/workflows/build.yml.*$ \
    ghcr.io/mathieu-benoit/backstage@sha256:c450b6feba8d9f74b850845c50c38a2272d0b5d3abcd35b35e64f3e8e749235d \
    | jq .
Verification for ghcr.io/mathieu-benoit/backstage@sha256:c450b6feba8d9f74b850845c50c38a2272d0b5d3abcd35b35e64f3e8e749235d --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "ghcr.io/mathieu-benoit/backstage@sha256:c450b6feba8d9f74b850845c50c38a2272d0b5d3abcd35b35e64f3e8e749235d"
      },
      "image": {
        "docker-manifest-digest": "sha256:c450b6feba8d9f74b850845c50c38a2272d0b5d3abcd35b35e64f3e8e749235d"
      },
      "type": "https://sigstore.dev/cosign/sign/v1"
    },
    "optional": {}
  }
]
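A small policy check a deployment step could run over the `cosign verify ... | jq .` output shown above, added here as an example that is not part of the PR or of docker/github-builder; the sample JSON is the PR's own output embedded inline, and `PINNED_DIGEST`, `EXPECTED_REPO` and `check_cosign_claims` are assumed names. It rejects tag-only references, a digest that differs from the one pinned in the deployment, and an unexpected claim type:

```python
import json

# Constructed from the cosign output in the PR above: the digest the deployment pins,
# and the JSON that `cosign verify` printed for it.
PINNED_DIGEST = "sha256:c450b6feba8d9f74b850845c50c38a2272d0b5d3abcd35b35e64f3e8e749235d"
EXPECTED_REPO = "ghcr.io/mathieu-benoit/backstage"
EXPECTED_TYPE = "https://sigstore.dev/cosign/sign/v1"
COSIGN_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": f"{EXPECTED_REPO}@{PINNED_DIGEST}"},
            "image": {"docker-manifest-digest": PINNED_DIGEST},
            "type": EXPECTED_TYPE,
        },
        "optional": {},
    }
])


def check_cosign_claims(output: str, pinned_digest: str, repo: str = EXPECTED_REPO) -> list:
    """Return a list of problems; an empty list means every verified claim is for
    exactly the pinned image.  cosign has already checked signature, certificate
    identity/issuer and transparency log; this only ties its claims to the digest
    the deployment is about to run."""
    problems = []
    try:
        claims = json.loads(output)
    except json.JSONDecodeError as exc:
        return [f"unparseable cosign output: {exc}"]
    if not isinstance(claims, list) or not claims:
        return ["no verified signatures in cosign output"]
    for i, claim in enumerate(claims):
        critical = claim.get("critical", {})
        ref = critical.get("identity", {}).get("docker-reference", "")
        manifest = critical.get("image", {}).get("docker-manifest-digest", "")
        if critical.get("type") != EXPECTED_TYPE:
            problems.append(f"claim {i}: unexpected type {critical.get('type')!r}")
        # A tag such as backstage:latest is mutable; only repo@digest is accepted.
        if ref != f"{repo}@{pinned_digest}":
            problems.append(f"claim {i}: docker-reference {ref!r} is not {repo}@{pinned_digest}")
        if manifest != pinned_digest:
            problems.append(f"claim {i}: manifest digest {manifest!r} != pinned {pinned_digest}")
    return problems
```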

github-actions bot commented Feb 3, 2026

Overview

Image reference     backstage:latest                                 backstage:latest
- digest            a301735adbee                                     a301735adbee
- tag               latest                                           latest
- provenance        221ce73                                          d97e86a
- vulnerabilities   critical: 0 high: 1 medium: 4 low: 1             critical: 0 high: 1 medium: 4 low: 1
- platform          linux/amd64                                      linux/amd64
- size              261 MB                                           261 MB
- packages          1311                                             1311
Base Image          alpine:3                                         alpine:3
                    also known as: 3.23, 3.23.3, latest              also known as: 3.23, 3.23.3, latest
- vulnerabilities   critical: 0 high: 0 medium: 1 low: 0             critical: 0 high: 0 medium: 1 low: 0

Removed id-token write permission for multi-arch builds.
Removed monolith and backend-dev build jobs, added new build job using docker/github-builder for monolith and backend.
@mathieu-benoit mathieu-benoit merged commit 09eb830 into main Feb 5, 2026
11 checks passed
@mathieu-benoit mathieu-benoit deleted the docker-github-builder branch February 5, 2026 20:49
